The Internet of Things likely to drive an upheaval for security

Analyst firm Gartner expects the Internet of Things (IoT) to drive a convergence of IT, physical and industrial control security practices over the next several years.

Much of the convergence will result from the sheer heterogeneity and number of devices that will become Internet-enabled by 2020. Current estimates range from Gartner's 26 billion devices to IDC's mind-boggling projection of 212 billion installed devices.

While most of the devices are unlikely to pose security threats, many will intersect with enterprise networks in the form of smart heating and lighting systems, equipment monitoring and maintenance sensors, industrial robots, asset tracking systems, plant control systems and personal devices such as fitness bands and smartwatches.

Managing those devices securely will require a combination of security skills, said Earl Perkins, Gartner analyst and the author of a new report that looks at the security implications of the IoT for CISOs.

"We are at the early stages of a major inflection point in security," Perkins said.

Most of the devices will be function-specific and use a variety of non-standard communication protocols. The devices will also feature embedded operating systems and software that provide little way for IT to add a security layer on top. Some devices will just be sensors for storing and forwarding data. Often, new devices will need to interact with older systems and software.

While IT organizations have been able to add some measure of protection to smartphones, tablets and other mobile devices in the workplace, they will find it hard to do the same with many of the devices that will comprise IoT in a few years.

Instead of layering protection at the device level, organizations may need to think about centralizing and aggregating security controls via gateway devices. The massive number of devices that will need to be managed in this way could pose new problems.

"There will be many different kinds of service providers who will contribute to security" in the enterprise, Perkins predicted. In addition to traditional security vendors, others like embedded application and operating system vendors and equipment manufactures will have a role to play, too.

"All of [these entities] will become players in the security space," Perkins noted. "Some will be customers of security and some will contribute to security."

Dealing with the real-time, event-driven applications and non-standard protocols that define much of IoT will require significant changes to app testing, vulnerability, identity and access management practices, Perkins said. It will also require changes to other practices such as governance, management and enforcement of security functions.

Just as mobile devices and the BYOD trend have forced IT managers to think differently about security, IoT will require companies to rethink what they do. The main difference is that the scale is magnitudes larger than what security managers deal with now, he said.

The challenge for IT is less about technology and more about getting ahead of the security curve. Many of the technology controls needed to secure a highly connected world already exist. What CISOs and other IT managers need to focus on are policy and process -- specifically, developing secure deployment practices and polices and putting in place architectural foundations for accommodating new IP-enabled devices.

The issues confronting IT are no different from the challenges they faced when migrating from mainframes to client/server or to mobile, the Web and the cloud. "Every time we have a major infection point, we seem to make the same mistakes. We allow it to get away from us and end up playing catch up for the next five to 10 years."

IoT presents another opportunity for IT to get ahead on security, Perkins said, "Just like every new generation of technology, we've got to be sanguine about how to approach it."

Copyright 2019 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.